THE COMMON VULNERABILITY SCORING SYSTEM (CVSS) AND ITS APPLICABILITY TO FEDERAL AGENCY SYSTEMS

S. government has a potential impact rating of low, moderate, or high with respect to the security objectives of confidentiality, integrity, and availability. This rating system is described within Federal Information Processing Standards (FIPS) 199.[7] Additional information concerning the use of FIPS 199 ratings within CVSS can be found in Section 4. CVSS follows this general model of FIPS 199, but does not require organizations to use any particular system for assigning the low, medium, and high

[6] Please note that the base confidentiality, integrity and availability impact metrics, themselves, are not changed.

Table 12. Security Requirements Scoring Evaluation

Metric Value        Description
Low (L)             Loss of [confidentiality | integrity | availability] is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).
Medium (M)          Loss of [confidentiality | integrity | availability] is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).
High (H)            Loss of [confidentiality | integrity | availability] is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).
Not Defined (ND)    Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric.

2.4 Base, Temporal, Environmental Vectors

Each metric in the vector consists of the abbreviated metric name, followed by a “:” (colon), then the
abbreviated metric value. The vector lists these metrics in a predetermined order, using the “/” (slash)
character to separate the metrics. If a temporal or environmental metric is not to be used, it is given a
value of “ND” (not defined). The base, temporal, and environmental vectors are shown below in Table 13.

Table 13. Base, Temporal and Environmental Vectors

Metric Group     Vector
Base             AV:[L,A,N]/AC:[H,M,L]/Au:[M,S,N]/C:[N,P,C]/I:[N,P,C]/A:[N,P,C]
Temporal         E:[U,POC,F,H,ND]/RL:[OF,TF,W,U,ND]/RC:[UC,UR,C,ND]
Environmental    CDP:[N,L,LM,MH,H,ND]/TD:[N,L,M,H,ND]/CR:[L,M,H,ND]/IR:[L,M,H,ND]/AR:[L,M,H,ND]

For example, a vulnerability with base metric values of “Access Vector: Low, Access Complexity: Medium, Authentication: None, Confidentiality Impact: None, Integrity Impact: Partial, Availability Impact: Complete” would have the following base vector: “AV:L/AC:M/Au:N/C:N/I:P/A:C.”

[7] See http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf

3. Scoring

This section explains how CVSS scoring is performed. It first provides guidelines on performing scoring. Next, it defines the equations used for base, temporal, and environmental score generation. Finally, it provides scoring examples to help il...
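
The vector format described in Section 2.4, shown as an added example that is not part of the original document: a strict parser that checks a vector against the metric order and value lists of Table 13 before any score is computed from it. The names `parse_vector`, `used_metrics` and `VectorError` are assumptions made for this illustration; the metric table is transcribed from Table 13.

```python
# Metric order and allowed values, transcribed from Table 13 of the page.
GROUPS = {
    "base": [("AV", "L A N"), ("AC", "H M L"), ("Au", "M S N"),
             ("C", "N P C"), ("I", "N P C"), ("A", "N P C")],
    "temporal": [("E", "U POC F H ND"), ("RL", "OF TF W U ND"),
                 ("RC", "UC UR C ND")],
    "environmental": [("CDP", "N L LM MH H ND"), ("TD", "N L M H ND"),
                      ("CR", "L M H ND"), ("IR", "L M H ND"),
                      ("AR", "L M H ND")],
}


class VectorError(ValueError):
    """Raised when a vector does not match the Table 13 layout (hypothetical name)."""


def parse_vector(vector):
    """Return (group, {metric: value}) for one base, temporal or environmental vector."""
    pairs = []
    for field in vector.split("/"):          # "/" separates the metrics
        name, sep, value = field.partition(":")  # ":" separates name and value
        if not sep or not name or not value:
            raise VectorError(f"malformed field {field!r}")
        pairs.append((name, value))
    names = [n for n, _ in pairs]
    # The metrics must appear in the predetermined order of exactly one group.
    for group, spec in GROUPS.items():
        if names == [n for n, _ in spec]:
            break
    else:
        raise VectorError(f"metrics missing, repeated or out of order: {names}")
    for (name, value), (_, allowed) in zip(pairs, spec):
        if value not in allowed.split():
            raise VectorError(f"{name}:{value} not one of {allowed.split()}")
    return group, dict(pairs)


def used_metrics(metrics):
    """Drop metrics set to ND, the value that marks a metric as not used."""
    return {name: value for name, value in metrics.items() if value != "ND"}


if __name__ == "__main__":
    # Base vector taken from the example in Section 2.4.
    print(parse_vector("AV:L/AC:M/Au:N/C:N/I:P/A:C"))
    # Constructed temporal vector with one metric left undefined.
    print(used_metrics(parse_vector("E:POC/RL:ND/RC:C")[1]))
```

Matching is case-sensitive and order-sensitive, so a vector from a scanner or ticket that has been reordered or truncated is rejected instead of being silently scored.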
This document was uploaded on 03/19/2014 for the course IS 4799 at ITT Tech Flint.
- Spring '14